Since the beginning of 2020, communities throughout the world, personal and professional, have been impacted in ways that had previously been discussed only as hypothetical scenarios, such as running an organization completely virtually. Belief in the technological prowess achieved by humans led to the assumption that this hypothesis would never come to be tested. The opposite is true.
There is not a facet of business that has not been impacted by COVID-19. Security and privacy-related matters now have to be looked at through a different lens.
At an enterprise level, working from home presents new and additional risk. Organizations will have to plan to identify, manage and mitigate the risk presented to them in this new normal. As long as teams were working from an access-controlled, audited, segregated and monitored environment, physical data protection risk areas were contained on the premises of the enterprise and more easily managed. In the work-from-home (WFH) scenario, the risk extends to the employee’s home, which becomes another point that has to be secured.
The invisible migration of workforces from an enterprise environment to the home environment has been a lock-stock-and-barrel migration for an indefinite period. Work contracts seldom mention the employer’s working from home policy; therefore, policy conflicts are bound to surface, not to mention contracts signed between vendors and clients governing the movement of data, hardware, assets and intellectual property.
Force majeure clauses (i.e., clauses covering unforeseeable circumstances that prevent someone from fulfilling a contract) have long been a part of enterprise contracts, serving as an enterprise’s own get-out-of-jail-free card, to help clients who might have had a watertight contract. In the new pandemic-induced working environment, the work must continue, and enforcing force majeure can only bring about a severance of ties at a time when the need of the hour is continuity.
Risk must be mitigated to ensure the sanctity of the data being worked on and reduce the liabilities associated with these risk areas. Enterprises must now look at deploying additional measures to address the new risk and compliance requirements.
It is the story of the new normal.
The New Normal
The new normal has been discussed constantly over the last few months. Contrary to popular opinion, it is not just new terminology to expedite digital transformation; it is not a gimmick. It is a clear challenge that has presented itself equally before individuals, enterprises and governments. Unlike ideas related to self-preservation (e.g., wearing masks, maintaining social distancing, washing hands regularly), security and privacy have always been perceived as the flagbearers of protecting an enterprise’s data, often with individuals considering them an impediment. The coronavirus-induced era of the distributed workforce and the absence of a physical office, albeit in the interim, change a number of metrics for individuals as much as they change the metrics for organizations. The reality is that the employee and the employer have to address this challenge together rather than in separate capacities.
The precursor to the question on personally identifiable information (PII) is about establishing a work contract between the employee and the employer, the client and the vendor, or other similar relationships.
It is important to look at the impact of WFH in the new normal from lenses that are critical to an organization.
Employee Work Contracts and Ways of Working
A work contract is sacrosanct and the basis of every conversation or negotiation when it comes to getting a fair value for the effort expended in executing the requirements mentioned in the work contract. Most work contracts between the employee and the employer mention working from home only in passing, without any concrete rules to govern it. Leaving the matter to the discretion of the manager has been the oft-touted approach.
It is telling from a contingency planning point of view that a contingency was always thought to be needed only for short-lived situations (e.g., hurricanes, storms, floods), those after which work could resume following only a short period of WFH. It is safe to say that these contingency policies were inadequate, but things always appear clearer in hindsight.
As enterprises move to the new normal, the key things that need to be deliberated and included in work contracts are as follows:
- Clauses on confidentiality of information during WFH
- Dos and don’ts of employees working from home:
  - Implementation of a zero trust architecture on the network
  - Issuance of guidelines to employees on securing their home networks, such as ensuring adherence to stringent password guidelines and applying the latest patches to their operating systems
  - Completion of security training for employees
  - Use of secure cloud infrastructure for remote users to have access to data
  - Assurance of adequate network bandwidth for employees to perform their job responsibilities
  - Consent for the installation of software and monitoring of usage of personal devices
- Examination of the compensation structure on expenses:
  - Investment by the enterprise to provide adequate working conditions at home (e.g., buying furniture or equipment)
  - Reimbursement of Internet charges
  - Enterprise-identified accommodations
- Along the same lines of key person insurance and executive insurance, employee cyberinsurance may become a reality. Enterprises may have to make provisions for cyberinsurance-related risk arising from employees working from home.
- Just as employee background checks and drug tests have become a fact of life, physical audits of employee home offices and home networks may be required. Organizations will have to weigh the inclusion of rights of audit on the premises of the information against employee privacy concerns and rights. These are not as straightforward because domestic arrangements vary and can be a source of complexities (e.g., how to handle a scenario where an employee shares premises with friends who work for competitors, how to decide what kind of employee declarations will be required to mitigate risk and liability, how to determine if third-party audits of home offices are required).
“THE PANDEMIC-INDUCED ODC DOES NOT POSSESS THE SECURE PHYSICAL ENVELOPE THAT PROTECTED IT EARLIER, BUT THE GOOD NEWS IS THAT THE VIRTUAL NETWORK IS STILL AS SECURE AS IT WAS EARLIER.”
Customers and Contracts…